Facebook has taken on a group of hackers in China that target the Uyghur ethnic group with cyberespionage activity.
The hacking group, known as Earth Empusa or Evil Eye, was targeting activists, dissidents and journalists involved in the Uyghur community, primarily those living abroad in Australia, Canada, Kazakhstan, Syria, Turkey and the United States, among other countries, by using fake Facebook accounts for fictitious people sympathetic to the Uyghur community. Facebook said Wednesday that the group was sending malicious links in Facebook messages that, if clicked, led to espionage-focused malware infections.
The malicious links led to look-alike domains for popular Uyghur and Turkish news sites, according to Facebook, as well as to compromised legitimate websites.
This was all undertaken with selective targeting, according to the post: “This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings.”
Android Malware Attacks
Facebook took down the fake profiles, but it also found websites set up by the group that mimic third-party Android app stores, where they published Uyghur-themed applications. These included a keyboard app, a prayer app and a dictionary app, according to the posting, which were trojanized with two Android malware strains — ActionSpy or PluginPhantom.
The Uyghurs, a Turkic minority ethnic group affiliated with Central and East Asia, have previously been targeted in other mobile spyware attacks, including by an ActionSpy campaign seen as recently as June.
Analysis on the latest Android malware found that Beijing Best United Technology Co. and Dalian 9Rush Technology Co. are the developers behind some of the tooling deployed by Earth Empusa, according to Facebook.
“These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security,” the two wrote, adding that FireEye lend threat intelligence insight that informed Facebook’s assessment.
“FireEye uncovered an operation targeting the Uyghur community and other Chinese speakers through malicious mobile applications that were designed to collect extensive personal information from victims including GPS location, SMS, contacts lists, screenshots, audio and keystrokes,” said Ben Read, director of analysis at Mandiant Threat Intelligence, via email. “This operation has been active since at least 2019 and is designed for long term persistence on victim phones, enabling the operators to gather vast amounts of personal data.”
He added that FireEye believes the activity is state-sponsored. “On several occasions, the Chinese cyber espionage actors have leveraged mobile malware to target Uyghurs, Tibetans, Hong Kong democracy activists and others believed to be threats to the stability of the regime,” he said.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)